René Bauer | 24 Oct 11:19 2014

Problem with SLR rule 2200001

Hello,

starting today we have a problem with the SLR rule 2200001 from modsecurity_slr_50_malware_detection.conf. At the beginning of the file malware_payloads.txt which is used by that rule there is a line "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">". This line matches with the standard Apache mod_rewrite RewriteRule response and blocks all redirect traffic.
Can anybody tell me why this line and lines like "<h1>Service Temporarily Unavailable</h1>", "<p>The server is temporarily unable to service your", and "<title>503 Service Temporarily Unavailable</title>" are considered malicious code? 

Ciao,
Rene
--

Kind regards
René Bauer


------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Tom Chiverton | 23 Oct 14:05 2014

Can't seem to prevent matches being listed in Apache error_log

Hi,

I have a production machine where we're using mod_security in front of largely static applications.

We don't need matched rules to be logged to the Apache error_log, but I can't seem to turn this off.

This is a standard install on Ubuntu, with /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf set to
SecDefaultAction deny,nolog,auditlog

I've tried both
SecDebugLogLevel 0
and
LogLevel security2_module:crit
but I'm still getting output in the error_log.

Am I going about this in the wrong way ?

--
Tom Chiverton | Lead Developer | Extravision
T: 0161 817 2922 | W: www.extravision.com | T: twitter.com/extravision | E: tchiverton <at> extravision.com

Ryan Barnett | 22 Oct 23:57 2014

Welcoming Chaim Sanders to the SpiderLabs Research Team

I wanted to send a note out to the ModSecurity community to introduce Chaim Sanders - https://www.linkedin.com/pub/chaim-sanders/13/237/a7a.  He is joining the SpiderLabs Research team where he will be focusing on supporting the ModSecurity project and community.  This means he will help out answering emails from the community on these mail-lists, help Felipe Costa with development on our Github repos, creating new signatures for OWASP CRS/Commercial Rules and also helping to deliver professional services from Trustwave for our commercial customers.  Needless to say, we have a lot of work for Chaim and we are thrilled to have him on the team.  His background in web application penetration testing gives him a great "Know Your Enemy" perspective to bring to web application defenses like ModSecurity.

Please join me in welcoming Chaim.

Thanks.

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 




Brian Clark | 21 Oct 04:34 2014

Troubleshooting ModSecurity IIS Module Conflicts

I found the source of my ModSecurity/AJAX/CORS issue - it is some kind of
conflict between IIS and a custom IIS module I have running in my web app.

Any advice on troubleshooting issues between ModSecurity and custom IIS
Modules?

Thanks,
Brian


Brian Clark | 18 Oct 20:59 2014

Blocking AJAX CORS requests?

Hello,

We use AJAX and CORS as part of a login form on our website. For some
reason, ModSecurity 2.8.0 for Windows seems to be preventing this from
working properly. However, nothing shows up in the debug logs (level = 9)
showing that anything had been blocked. I can see in the logs that
ModSecurity is receiving the HTTP Post with the email/password login
values. The debug.log does not show any positive rule hits. Also, I'm
in detect-only mode so it shouldn't be dropping anything.

My thought was that something in the outbound rule set is modifying the
response in some way, but I disabled it and still had the issue. When I
disable ModSecurity entirely, login works just fine.

I am using the base CRS rules that are installed by default by the
ModSecurity installer.

Any thoughts on how to troubleshoot this? Without anything showing up in
the debug.log I am lost.

Brian Clark


Abhijit Mitra | 17 Oct 02:01 2014

Same audit log directory for multiple ModSec installations?

Can I have the same audit log directory for multiple ModSec installations? Assume concurrent logging, in which case I am assuming no conflicts writing files unless 2 installs pick the same transaction ID. Is that right?

Thanks.

--
Abhi Mitra
GSEC, ITIL
------------------------------------------------------------------------------
Dan Goldberg | 16 Oct 19:53 2014

inconsistent 413 status codes

Hi,
I have an interesting (to me) issue with some basic modsecurity
settings on Ubuntu servers.

I have SecRequestBodyAccess On and SecRequestBodyLimit set to
something small (for testing).
When a file upload exceeds that size
Apache logs the expected:
"ModSecurity: Request body (Content-Length) is larger than the
configured limit (16384000). Deny with status (413)"

The application in this case is a ruby web app, and it never indicates
to the user that anything has happened, watching the traffic show the
client received: "net::ERR_CONNECTION_RESET" which is not a status
413. We have trapped the code and never see anything back from the
server.

So Modsecurity claims to send a specific status, and the client never sees it.
Does anyone have any ideas what is going on or how to troubleshoot
this on the modsecurity side?

thanks Dan

--
Dan <at> madjic.net


Christopher Stanley | 16 Oct 19:23 2014

Latest libxml2 port to RHEL4

Tobi | 14 Oct 11:12 2014

Problem with allowed_http_versions

Hi list

I'm quite new to mod_security but have a problem which I could not explain.
Have mod_security in reporting mode

I'm running
mod_security 2.8.0 (built from source)
apache 2.4.9 (built from source)

I have this in mod_security_crs_10_setup.conf

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .$
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
  nolog, \
  pass"

which should allow HTTP/1.1 only

In modsecurity_crs_30_http_policy.conf I have

SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

According to my understanding HTTP/1.1 requests should be allowed. But I
always get the following in the audit log

Message: Warning. Match of "within %{tx.allowed_http_versions}" against
"REQUEST_PROTOCOL" required. [file
"/usr/local/apache24/conf/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not
allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag
"OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]

Why is HTTP/1.1 not matched by %{tx.allowed_http_versions} ?

Thanks for any idea how to fix this

tobi


Felipe Costa | 13 Oct 14:33 2014

Re: [Mod-security-rules] mod sec rule to execute lua script

Hi,

You can work on the top of that script to create your own customization and add your logic. If it fails for some reason it will be easier to identify.

As Ryan pointed out, here is an example of a script that makes use of the variables that you are also interested in:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/lua/gather_ip_data.lua


Br.,

Felipe "Zimmerle" Costa

Security Researcher, SpiderLabs

 



From: kinomakino <kinomakino <at> hotmail.com>
Date: Monday, October 13, 2014 5:37 AM
To: Felipe Costa <fcosta <at> trustwave.com>
Subject: RE: [Mod-security-rules] mod sec rule to execute lua script


Thanks for the help.

I run this simple script, I see in the log modsec 3 lines.

run the rule that appears, modified with an exec: script.lua.

You have to place the script somewhere specific?

Thank you !!

 

--ff4b7e3b-H--
Message: Test message 1.
Message: Test message 2.
Message: Test message 3.
Message: Access denied with code 403 (phase 2). Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "20"] [id "990002"] [rev "2"] [msg "Request Indicates a Security Scanner Scanned the Site"] [data "nikto"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)

 

 

From: Felipe Costa [mailto:FCosta <at> trustwave.com]
Sent: Friday, 10 October 2014 13:50
To: kinomakino
Subject: Re: [Mod-security-rules] mod sec rule to execute lua script

 

Hi,

 

Did you try a simple script such as:

 

Can you check if it works for this simple script?

 

Br.,

Felipe "Zimmerle" Costa

Security Researcher, SpiderLabs

 


 

 

 

From: kinomakino <kinomakino <at> hotmail.com>
Date: Friday, October 10, 2014 8:33 AM
To: "mod-security-rules <at> lists.sourceforge.net" <mod-security-rules <at> lists.sourceforge.net>
Subject: [Mod-security-rules] mod sec rule to execute lua script

 

As always, thanks for the help.
I'm playing with a lua script from mod security (exec: /var/scripts/script.lua)
the target is ip ban in iptables source that triggers the rule.

I get the REMOTE_ADDR variable, but the mod_sec alert appears:
Message: Lua: Script execution failed: attempt to call a nil value

The variable takes the script, because to write a test log.
The lua script is as follows:
local remote_addr = m.getvar("REMOTE_ADDR");
local log_file = "/tmp/lua_tmp.log"
file = io.open(log_file, "a")
file:write(remote_addr)
file:write("\n")
file:close()
print("0")

you have information about this error?
Thank you !!!
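
ModSecurity 2.x calls a global function named main() in every Lua script it runs, and "attempt to call a nil value" is what Lua reports when that function is not defined. The following is an added example, not code from this thread or from the linked CRS script: the same logging task wrapped in that entry point. The log path is the one from the original post; the is_ip() helper, the timestamp format and the log levels are assumptions made for this illustration.

```lua
-- Added example: ModSecurity 2.x Lua script for the exec action or SecRuleScript.
-- ModSecurity loads the file and then calls the global function main();
-- a file holding only top-level statements leaves main undefined (nil).

local LOG_FILE = "/tmp/lua_tmp.log"  -- path taken from the original post

-- Hypothetical helper: accept only dotted-quad IPv4 or hex/colon IPv6 text,
-- so nothing else is written to the log or handed to a later tool.
local function is_ip(addr)
    if type(addr) ~= "string" or #addr > 45 then
        return false
    end
    local a, b, c, d = addr:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if a then
        for _, octet in ipairs({a, b, c, d}) do
            if tonumber(octet) > 255 then
                return false
            end
        end
        return true
    end
    -- IPv6 (including IPv4-mapped forms): must contain a colon and
    -- consist only of hex digits, colons and dots.
    return addr:find(":", 1, true) ~= nil and addr:match("^[%x:%.]+$") ~= nil
end

function main()
    -- m is the table ModSecurity injects into the script environment.
    local remote_addr = m.getvar("REMOTE_ADDR")
    if not is_ip(remote_addr) then
        m.log(4, "lua: REMOTE_ADDR missing or malformed, nothing written")
        return nil
    end

    -- io.open returns nil plus an error string on failure (for example when
    -- the web server account cannot write to the path); check it rather
    -- than indexing a nil file handle.
    local file, err = io.open(LOG_FILE, "a")
    if not file then
        m.log(2, "lua: cannot open " .. LOG_FILE .. ": " .. tostring(err))
        return nil
    end
    file:write(os.date("!%Y-%m-%dT%H:%M:%SZ"), " ", remote_addr, "\n")
    file:close()

    m.log(4, "lua: logged " .. remote_addr)
    -- Under SecRuleScript a nil return means "no match"; a returned
    -- string would be treated as a match message.
    return nil
end
```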

 


------------------------------------------------------------------------------
Jutichai Thongkrachai | 13 Oct 10:29 2014

Cannot do a white list for bypassing one computer through mod_security

Hello,


I want to bypass an ip address through mod_security, so I can access my Snorby web page instead of the "403 forbidden" page. I tried to configure my mod_security.conf at /etc/httpd/conf.d/ by following this link: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-Frequently-Asked-Questions-%28FAQ%29#How_do_I_whitelist_an_IP_address_so_it_can_pass_through_ModSecurity


but when I restart Apache, Apache cannot start because Syntax error in mod_security.conf that I add a white list although I do as the above link.


How can I solve this problem?


In my server, I have
- mod_security 2.7.3
- OWASP Core Rule Set 2.2.9
- apache 2.4